#2770 [RFE] Create a monitoring role
Closed: fixed 5 years ago Opened 11 years ago by danieljamesscott.

Currently anonymous users do not have permission to check the replication status of LDAP servers. The ldif to add the aci is:

dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)

The same ldif, with 'cn="o=ipaca"' is required for pki-ca monitoring.

Technically, the best attributes would be:

nsDS5ReplicaHost||nsds5replicaLastUpdateStatus||nsds5replicaLastUpdateStart||nsds5replicaLastUpdateEnd||nsds5replicaLastInitStart||nsds5replicaLastInitEnd||nsds5replicaUpdateInProgress

But there must be an additional permission required because monitoring doesn't work if I only grant permission to the above attributes.


I recommend making it optional; somebody may want to hide this information.

An LDIF with the "allow" modification in /usr/share/doc/ipa could be enough, I think. It is an "advanced" change and (I think) most users will ignore it.

In general we want the ability to read replication status to be something that can be delegated. Whether we'd make this delegatable to anonymous I'm not sure, I don't believe we currently provide a way to specify that in the permission plugin.

As a rule we've been limiting what anonymous can do rather than expanding. Making this world readable exposes the current IPA servers and their replication topology. I think we'd recommend at least creating a user in cn=sysaccounts rather than using anonymous.
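The comment above argues for delegating read access to a dedicated cn=sysaccounts user rather than to ldap:///anyone. The following script is an added example, not code from the ticket or from FreeIPA: it builds an ACI restricted to the attribute list from the ticket and to one bind DN (the sysaccount DN uid=monitor,cn=sysaccounts,cn=etc,dc=example,dc=com is an assumed name), folds it into the same modify LDIF shown in the ticket, and then evaluates constructed replication-agreement entries the way a monitor holding that permission would.

```python
"""Added example: least-privilege replication-monitoring ACI and a status check.
Not from the ticket or FreeIPA; the sysaccount DN and sample entries are assumed."""
import re
from datetime import datetime, timedelta, timezone

# Attribute set the ticket names as the minimal one a monitor needs to read.
MONITOR_ATTRS = [
    "nsDS5ReplicaHost",
    "nsds5replicaLastUpdateStatus",
    "nsds5replicaLastUpdateStart",
    "nsds5replicaLastUpdateEnd",
    "nsds5replicaLastInitStart",
    "nsds5replicaLastInitEnd",
    "nsds5replicaUpdateInProgress",
]

# Same target filter as the ACI in the ticket.
AGREEMENT_FILTER = ("(|(objectclass=nsds5replicationagreement)"
                    "(objectclass=nsDSWindowsReplicationAgreement))")


def build_monitor_aci(bind_dn, attrs=MONITOR_ATTRS):
    """ACI granting read/search/compare on the agreement attributes to ONE bind
    DN (the monitoring sysaccount) via userdn, instead of groupdn ldap:///anyone."""
    if not attrs:
        raise ValueError("attribute list must not be empty")
    joined = "||".join(attrs)
    return (f'(targetattr="{joined}")'
            f'(targetfilter="{AGREEMENT_FILTER}")'
            '(version 3.0; aci "permission:Read Replication Agreements"; '
            f'allow (read, search, compare) userdn = "ldap:///{bind_dn}";)')


def build_ldif(suffix, aci):
    """The modify LDIF from the ticket for a mapping-tree suffix (e.g. dc=example,dc=com
    or o=ipaca), folded to LDIF's 76-column limit with space-prefixed continuations."""
    lines = [f'dn: cn="{suffix}",cn=mapping tree,cn=config',
             "changetype: modify", "add: aci", f"aci: {aci}"]
    out = []
    for line in lines:
        out.append(line[:76])
        rest = line[76:]
        while rest:
            out.append(" " + rest[:75])
            rest = rest[75:]
    return "\n".join(out) + "\n"


# 389-ds reports the last update as "Error (<code>) <text>"; code 0 is success.
STATUS_RE = re.compile(r"Error \((-?\d+)\)\s*(.*)")
TIME_FMT = "%Y%m%d%H%M%SZ"


def evaluate_agreement(entry, now, max_lag=timedelta(minutes=15)):
    """Classify one agreement entry (dict of the attributes above) as healthy or
    not, returning (healthy, reason). A zero epoch end time means never updated."""
    m = STATUS_RE.match(entry.get("nsds5replicaLastUpdateStatus", ""))
    if not m:
        return False, "unparseable or missing status"
    code, text = int(m.group(1)), m.group(2)
    if code != 0:
        return False, f"last update failed ({code}): {text}"
    if entry.get("nsds5replicaUpdateInProgress", "FALSE").upper() == "TRUE":
        return True, "update in progress"
    end = entry.get("nsds5replicaLastUpdateEnd")
    if not end or end == "19700101000000Z":
        return False, "never completed an update"
    ended = datetime.strptime(end, TIME_FMT).replace(tzinfo=timezone.utc)
    if now - ended > max_lag:
        return False, f"last successful update {now - ended} ago"
    return True, f"last update {text or 'succeeded'}"


# Constructed sample entries (not captured from a real server).
SAMPLE_OK = {
    "nsDS5ReplicaHost": "ipa2.example.com",
    "nsds5replicaLastUpdateStatus":
        "Error (0) Replica acquired successfully: Incremental update succeeded",
    "nsds5replicaLastUpdateStart": "20240301120000Z",
    "nsds5replicaLastUpdateEnd": "20240301120005Z",
    "nsds5replicaUpdateInProgress": "FALSE",
}
SAMPLE_BAD = {
    "nsDS5ReplicaHost": "ipa3.example.com",
    "nsds5replicaLastUpdateStatus": "Error (-1) Unable to acquire replica",
    "nsds5replicaLastUpdateEnd": "19700101000000Z",
    "nsds5replicaUpdateInProgress": "FALSE",
}
NOW = datetime(2024, 3, 1, 12, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    aci = build_monitor_aci("uid=monitor,cn=sysaccounts,cn=etc,dc=example,dc=com")
    print(build_ldif("dc=example,dc=com", aci))
    for e in (SAMPLE_OK, SAMPLE_BAD):
        print(e["nsDS5ReplicaHost"], evaluate_agreement(e, NOW))
```

The ACI still covers both replication-agreement object classes from the ticket, but the grant is scoped twice: to the listed attributes rather than targetattr=*, and to a single sysaccount DN rather than anyone, so an unauthenticated client learns nothing about the topology.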

Create a monitoring role and maybe create a special user.

We need this functionality at my workplace so taking this on to contribute.

A read only replication monitoring permission and privilege will be set up that a user can then be added to for read only access to the appropriate attributes.

Thank you, contributions are welcome.

Just FYI - I filed ticket #3829 to add the "Read replication agreements" permission (before I saw this ticket). It is very related, almost a duplicate. But given it is a subset of this ticket, I won't close it right away.

I've taken ownership of that ticket then as a subset of this one ...

They'll both be closed by the same patch (working on it today so expect it in the next 48 hours or so after some testing here and so on).

Cool! Just in case you did not study it yet, please check http://www.freeipa.org/page/Contribute, section "Working with the Codebase" before sending the patches - especially the Patch Format and Coding Style Guides.

Metadata Update from @danieljamesscott:
- Issue assigned to jhogarth
- Issue set to the milestone: Ticket Backlog

7 years ago

Delegation was added for reading agreements in ticket https://fedorahosted.org/freeipa/ticket/5631 (it is the final correction for some previous attempts).

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

